System and method for verifying user identity in a virtual environment

ABSTRACT

Systems and methods for verifying user identity in a virtual environment are provided that may include the use of a trusted third party to perform identity verification. Devices may be configured such that the device is unalterably bound to a particular user via biometric data stored on the device and/or with the third party.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application claims priority under 37 CFR § 1.78(a) to U.S. Provisional Application No. 62/114,938 filed Feb. 11, 2015, and is a continuation-in-part of U.S. application Ser. No. 13/303,667, filed Nov. 23, 2011, and issued as U.S. Pat. No. 9,159,187 on Oct. 13, 2015, which claims priority under 37 CFR § 1.78(a) to U.S. Provisional Application 61/416,526, filed Nov. 23, 2010, the contents of all of which are hereby incorporated by reference in their entireties.

BACKGROUND OF THE INVENTION

The internet cybercrime problem can be illustrated by comparing cybersecurity to sports. In any sport, individuals or teams compete in a game with rules. Without exception, sporting events from baseball to the Olympic Games require a 3rd party to act as an independent arbitrator, ensuring that the rules of the game are enforced.

When managers of highly sensitive government networks, financial institution websites, electronic health records (EHR) contractors, or online retailers allow employees or customers access to their cyber infrastructure, the relationship is naturally adversarial in a way similar to a sporting event. In order for a computer network controller to grant an employee access to a remote workstation, the employee must confirm their identity by using a password, biometric scan, or 2-factor login procedure. The network controller and employee are, at the moment of the identity verification, opponents on a cyber-playing field. The missing element in this scenario is an independent 3rd party to act as a ‘referee.’

Of the current methods used for online identity verification, passwords are by far the weakest. Alternatives to passwords include Kerberos 2-factor authentication and conventional biometric methods integrated into modern smartphones and other computing devices (e.g. Apple iPhone 5S™). Neither of these methods is completely trustworthy since the 2 factors or the smartphone can be transferred to another person without the knowledge of computer network administrators granting access privileges or internet websites requiring identity verification. Even though a smartphone uses biometric methods, the original owner of the device may choose to reset or be coerced into resetting the device's biometric reference to that of another person.

Another problem is illustrated by recognizing that a secure computing device (e.g. smartphone) might be lost and then found by a skilled technician who might disassemble the device and compromise any sensitive data stored inside.

Presently, cybersecurity of EHRs is less robust than consumers might expect. One problem is the state of EHRs when they are in storage ‘at rest’ and in transit. Encryption is used but the owner of the keys used to encrypt this data is typically not the person (patient) to whom the EHRs belong.

With online payments, consumers are sometimes frustrated by burdensome procedures involved in cancelling services which are paid from credit cards or other financial accounts at regular, recurring intervals. Sometimes, a recurring draw against an account occurs due to fraud or by mistake.

Finally, younger citizens are typically much more technology savvy than previous generations and prefer to conduct much of their personal business through online means. Online voting in political elections is no different. Some theorize that low voter participation by younger citizens is due in part to the trouble of having to travel to a physical location to cast an in-person vote. Online voting is one of many cases where reliable proof of identity at the moment of action is vital. Online voting cannot emerge without a comprehensive solution to fraud-proof identity verification.

The ability of criminals and cyber-terrorists to infiltrate supposedly well-defended computer networks is well known. In order to successfully breach cyber defenses, criminals or terrorists must execute actions against computer hardware and software that is typically under the complete control of third parties which may include innocent individuals, businesses, or government agencies. As a result, billions of dollars are spent on countermeasures and recovery from breaches.

Less widely recognized problems are also inherent in other online activities, such as those that involve wagering, and other transfers of funds between individuals, such as may occur in online versions of poker, etc.

By way of example, in internet poker, 2 to 10 people typically play each other across a ‘virtual’ poker table. The game is managed from servers operated by an internet poker service provider (or ‘poker website’). The poker website manages communications to and from remote computers that are under the near complete control of the players. It is on the graphical displays of these remote computers that the virtual poker table, avatars for other players, and card graphics are made visible to the player. For innocent players the fact that they control their own computers is of no consequence. But if the ‘player’ as known to the poker website and its regulators is a ‘money mule’ paid by a terror or crime organization (TCO), a significant vulnerability is apparent. A ‘money mule’ is a person hired by a TCO for his or her unblemished identity and separation from the TCO.

Contrast the problem faced by hackers trying to break into computers under the control of someone else, to that faced by a TCO hacking computers entirely under its control. Manipulation of, for example, internet poker games for the purpose of laundering money becomes astonishingly easy.

Consider a criminal enterprise (CE) seeking to offer untraceable electronic banking services to terror and crime organizations (TCOs). The CE uses technology and carefully-designed business processes to exploit the natural properties of internet poker in order to move vast sums of money among thousands of poker accounts in many different countries. The most basic operation performed by the CE is the corruption of internet poker games using 4-way collusion for the purpose of moving money from two poker accounts to two other poker accounts playing at the same virtual poker table.

Regulators in jurisdictions where internet poker is legal such as the Isle of Man, the Alderney Islands, and Gibraltar claim that by recording hand histories and the identities of the players at any virtual poker table, counter-terrorism investigators can determine connections between donors and recipients. They also claim that it is possible to determine the physical location (geo-location) of an online poker player. They further claim that automated anti-collusion detection systems can reliably find instances where two or more players are sharing card values. The fact is, the CE can breach any anti-collusion or global positioning system (GPS) or internet protocol (IP) address geo-location system currently used by internet poker websites.

The following scenario illustrates just one example of how the CE might use weaknesses in the current internet poker business model to implement a large scale money laundering operation. However, it should be appreciated that the concepts described herein are applicable to a wide variety of online activities in which the actual identity and/or location of a user is needed for verification, tracking and/or monitoring purposes.

The CE business process assigns any number of ‘money mule’ accounts to poker games in groups of four. This means that 4 of the 9 to 10 seats at a compromised virtual poker table are CE mule accounts. The mules never actually play the games and may not even be privy to the CE's activities. Experts at CE remotely log in to the mules' computers and play games under the identities of those mules. They can also transfer money to and from the mule bank accounts and read emails sent to the mules by the poker website.

For typical money transfers, two of the mule accounts are designated as donors and two are recipients. The CE ‘players’ use technology that allows them to see each other's hole cards in an undetectable manner that does not distract from the game in any way. The players can remain focused on the game ensuring, over time, that money moves in the right direction.

Further, specially-designed software used by the CE to generate the four-player games can easily and reliably defeat any automated anti-collusion technique employed by the poker websites or their regulators. This is done by providing each mule with two low-end computers. One computer is ‘clean’ and the other is ‘corrupt’. The clean computer runs the internet poker client software. It contains neither the hack software nor the support software for remote access systems. If regulators require GPS verification of the computer's location, then this technology is included with the clean computer. Since the clean computer does not run any illicit software and possesses the required GPS technology (if it were required), the poker client software will never detect anything suspicious thereby enabling the CE to easily overcome geo-location requirements imposed by the poker websites and their regulators.

The corrupt computer runs all hack software, remote access support software, and the software for a frame grabber that in one implementation grabs the output signal from the clean computer's SVGA port. Keyboard and mouse commands—processed using standard drivers—are sent from the corrupt computer to a clean computer's USB port.

A minimum of three critical software processes are run on the corrupt computer. The first is an encrypted, private, CE-operated communications tool. The second is the ‘card clipping’ software that captures an image of the player's hole cards, transmits it to the CE's server, and retrieves the images of the other three players' hole cards. A private, CE-controlled instant messaging system is built into the card clip application. The third process allows CE ‘players’ (AKA ‘soldiers’) to control the corrupt and clean computers from anywhere in the world—again in an undetectable manner.

The CE uses state-of-the-art technology to manage communication among CE soldiers and the CE leadership. Soldiers can play poker on any computer located anywhere on the internet using a device called a ‘remote access appliance’ (e.g. Bomgar). Appliances such as the Bomgar device allow the CE to control thousands of remote computers without risking discovery by counter-terrorism investigators. By using a hardware appliance, the CE avoids using commercial remote access services such as GoToMyPC.com that could cooperate with law enforcement or counter-terrorism authorities. And, while all communications between CE leaders, soldiers, and cell leaders are undetectable, they are nonetheless encrypted and always sent via means under the complete control of the CE.

Custom server-side software is used to manage all administrative tasks such as maintaining login credentials for mule accounts, internal communications, game-in-progress data distribution, and generating and managing the games. An electronic database is used to persist data.

In one example, the CE business process starts with customer operative A hiring a money mule B. Mule B is instructed to open a conventional bank account and deposit money provided by operative A. Mule B is then instructed to open one or more internet poker accounts, using the mule's legitimate identity and bank account. The same process occurs between mule C and customer operative D in the country where the operative's money is to be transferred. Once the accounts are opened and the mules' identities are verified to the satisfaction of the poker website, mules B and C give the online logins for their bank account, the poker account(s), and email account associated with the poker websites to customer operatives A and D, respectively. Operatives A and D then send the logins to CE personnel using a privately operated, encrypted communication system. Finally, customer operatives A and D provide mules B and C with specially prepared computer hardware and software systems. Once these procedures are complete, the mules just need to keep the computers running and maintain connectivity to the internet. Mules are usually used indefinitely by the customer operatives and will likely be kept “in the dark”, so they may or may not have knowledge of the CE's operations, and may or may not be paid for their services. And if A and B or C and D are compromised, law enforcement or counter-terrorism authorities will have no way of linking operatives A and D because the CE has procedures in place to alter personnel distribution and immediately relocate servers and other traceable technology.

The possibility of money laundering with internet poker presents law enforcement and counter-terrorism authorities with a dilemma. If a money mule is discovered, he or she is unlikely to know anything useful beyond possibly identifying their TCO contact. Furthermore, since the mule doesn't actually play poker, he or she will have no knowledge of the other players at the virtual poker tables. This ensures that authorities will likely bear the expense of an international investigation involving several different foreign jurisdictions.

As this scenario illustrates, current technology and regulatory schemes are not sufficient to keep TCOs from exploiting internet poker. Two innovations are required: (1) a way to remove substantial control of computer hardware and software from an internet poker player while allowing the computer equipment to remain in the possession of the player, and (2) a way to reliably confirm the player's true identity and/or physical location.

SUMMARY OF THE INVENTION

The present subject matter seeks to eliminate or reduce at least some of the problems described above, in some aspects by introducing an independent third party responsible for verifying a person's true identity in a specific, real-world location and in the physical presence of the verified person. The provider of the third party services may offer infrastructure and procedures so secure and reliable that it can assume responsibility for accurate identification, partly relieving online banks, retailers, and operators of sensitive government and corporate networks of liability burden. In effect, the purpose of the invention is to create the conceptual equivalent of a ‘website SSL certificate’ for human beings.

According to first aspects of the invention, a computer-implemented method may provide third party user authentication for a first party user attempting to access a network service provided by a second party. Such methods may include one or more of registering a network service; registering a user device with a first user; generating a first encryption key associated with the user device; receiving a first encrypted check message from the user device; receiving a second encrypted check message from the network service; decrypting the first check message and the second check message using the first encryption key; comparing timestamps included in the first check message and the second check message; authorizing at least one of a network access or a transaction between the first user and the network service based at least in part on a difference between the timestamps being less than a threshold; and/or sending an authorization message to the network service based on said authorizing.

In embodiments, registering the user device with the first user may include acquiring biometric data of the user via an agent of the third party; storing the biometric data on the user device as biometric reference data using computer instructions and an encryption key provided by the third party; reacquiring the user's biometric data via a test scan using a biometric scanner of the user device; verifying that the biometric reference data is accurately stored on the user device by comparing the test scan to the biometric reference data; and/or causing the user device to delete said computer instructions based on the verification that the biometric reference data is accurately stored on the user device.

In embodiments, the network service may include a computer network of the second party, and the second encrypted check message may be based at least in part on a communication between the user device and a workstation connected to the computer network.

In embodiments, the network service may include a network banking website, and the second encrypted check message may be based at least in part on a communication between the user device and a workstation connected to the network banking website.

In embodiments, the network service may include an online purchase, and the second encrypted check message may be based at least in part on confirming the identity of a person operating the user device.

In embodiments, registering the user device with the first user may include storing biometric data of the first user on the user device as biometric reference data using computer instructions provided by the third party. The first check message may be sent from the user device based at least in part on a comparison between current biometric data and the biometric reference data; and/or the second check message may be sent based at least in part on the comparison between current biometric data and the biometric reference data.

In embodiments, the user's biometric data may not be communicated to, or maintained by, the network service or the third party.

In embodiments, registering the user device with the first user may include configuring a one-time password service associating the first user and the user device using computer instructions provided by the third party, at least one parameter used by the one-time password service being stored locally on the user device and inaccessible by the third party. The first check message may be sent from the user device based at least in part on an identity check performed via the user device using the one-time password service; and/or the second check message may be sent based at least in part on the identity check.

In embodiments, the second check message may be based at least in part on the network service confirming that the user device is authorized to access the network service.

According to further aspects of the invention, a method of registering a secure identity device may include one or more of receiving an authorization proof message from an authorizing agent, the authorization proof message including an authorization device identifier, location information, and a timestamp; receiving a composite proof message via the user device, the composite proof message including a unique device identifier, an encrypted version of the authorization proof message, and a timestamp; generating a first encryption key associated with the user device based at least in part on a comparison of the authorization proof message and the composite proof message; and/or sending the first encryption key to at least one of the authorizing agent and the user device.

Embodiments may include receiving a first encrypted check message from the user device; receiving a second encrypted check message from a network service provider; decrypting the first check message and the second check message using the first encryption key; comparing timestamps included in the first check message and the second check message; authorizing at least one of a network access or a transaction between the first user and the network service provider based at least in part on a difference between the timestamps being less than a threshold; and/or sending an authorization message to the network service provider based on said authorizing.
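The registration flow (authorization proof compared with the composite proof, then a device key minted) and the check-message flow (two messages decrypted with that key, authorized only if their timestamps agree within a threshold) described in the two preceding paragraphs, as an added worked example. This is illustrative code, not the patent's implementation. Assumptions not stated in the text: the authorizing agent and the third party share a key (`agent_key`); the authorization device encrypts its proof under that key and hands the ciphertext to the user device for inclusion in the composite proof; each check message carries the device identifier in the clear as a transport header so the verifier can select the key; the cipher is a small standard-library construction standing in for whatever a deployment would use; all identifiers, timestamps and thresholds are constructed.

```python
import hashlib
import hmac
import json
import secrets


# Illustrative authenticated encryption from the standard library only (a stand-in
# for a real cipher): keystream from HMAC-SHA256 in counter mode, encrypt-then-MAC.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message failed authentication")
    return bytes(c ^ k for c, k in zip(body, _keystream(_subkey(key, b"enc"), nonce, len(body))))


def make_check_message(device_key: bytes, device_id: str, ts: float) -> dict:
    """Device side: device identifier plus timestamp, encrypted under the first encryption
    key. The identifier is repeated in the clear as an (assumed) transport header."""
    inner = json.dumps({"device_id": device_id, "ts": ts}).encode()
    return {"device_id": device_id, "blob": encrypt(device_key, inner)}


class ThirdPartyVerifier:
    def __init__(self, agent_key: bytes, threshold_seconds: float = 30.0, registration_window: float = 300.0):
        self.agent_key = agent_key          # shared with the authorizing agent (assumption)
        self.threshold = threshold_seconds  # max gap between the two check-message timestamps
        self.window = registration_window   # max gap between authorization proof and composite proof
        self.services = set()
        self.device_keys = {}
        self.pending_proofs = {}            # authorization device id -> proof received from the agent

    def register_service(self, service_id: str) -> None:
        self.services.add(service_id)

    def receive_authorization_proof(self, proof_blob: bytes) -> None:
        proof = json.loads(decrypt(self.agent_key, proof_blob))
        self.pending_proofs[proof["auth_device_id"]] = proof

    def register_device(self, composite: dict) -> bytes:
        """Compare the agent's proof with the copy inside the composite proof, then mint the key."""
        inner = json.loads(decrypt(self.agent_key, composite["encrypted_proof"]))
        if self.pending_proofs.get(inner["auth_device_id"]) != inner:
            raise ValueError("authorization proof does not match the agent's copy")
        if abs(composite["ts"] - inner["ts"]) > self.window:
            raise ValueError("proof messages too far apart in time")
        key = secrets.token_bytes(32)
        self.device_keys[composite["device_id"]] = key
        return key  # delivered to the authorizing agent and/or the user device

    def authorize(self, service_id: str, first_msg: dict, second_msg: dict) -> dict:
        """Decrypt both check messages with the device key; authorize only if timestamps agree."""
        if service_id not in self.services:
            return {"authorized": False, "reason": "unregistered network service"}
        dev = first_msg["device_id"]
        key = self.device_keys.get(dev)
        if key is None or second_msg["device_id"] != dev:
            return {"authorized": False, "reason": "unknown or mismatched device"}
        try:
            first = json.loads(decrypt(key, first_msg["blob"]))
            second = json.loads(decrypt(key, second_msg["blob"]))
        except ValueError as exc:
            return {"authorized": False, "reason": str(exc)}
        if first["device_id"] != dev or second["device_id"] != dev:
            return {"authorized": False, "reason": "device identifier mismatch inside message"}
        delta = abs(first["ts"] - second["ts"])
        if delta >= self.threshold:
            return {"authorized": False, "reason": "timestamps differ by %.0f s" % delta}
        return {"authorized": True, "reason": "ok", "service": service_id, "device_id": dev}


def demo() -> tuple:
    """Registration, then one good and one stale authorization (all values constructed)."""
    agent_key = secrets.token_bytes(32)
    verifier = ThirdPartyVerifier(agent_key)
    verifier.register_service("bank.example")
    proof = {"auth_device_id": "agent-kiosk-01", "location": [40.71, -74.01], "ts": 1000000.0}
    proof_blob = encrypt(agent_key, json.dumps(proof).encode())
    verifier.receive_authorization_proof(proof_blob)       # straight from the agent
    composite = {"device_id": "sid-0001", "encrypted_proof": proof_blob, "ts": 1000012.0}
    device_key = verifier.register_device(composite)        # via the user device
    first = make_check_message(device_key, "sid-0001", 1000500.0)   # sent to the third party
    second = make_check_message(device_key, "sid-0001", 1000503.0)  # forwarded by the service
    good = verifier.authorize("bank.example", first, second)
    stale = make_check_message(device_key, "sid-0001", 1000700.0)
    bad = verifier.authorize("bank.example", first, stale)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

Two points the code makes explicit that the text leaves implicit: the verifier never sees biometric data, only that the device holding the key produced two fresh messages that the service and the third party each received; and because the MAC is checked before anything is parsed, a forged or modified check message is refused before the timestamp comparison runs.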

In embodiments, the first and second check messages may be based at least in part on a biometric user confirmation performed by the user device.

In embodiments, comparing the authorization proof message and the composite proof message may include comparing the timestamp information and decrypting the encrypted authorization proof message.

Embodiments may include authorizing biometric data to be stored on the user device based at least in part on confirmation that the user device is located in proximity to the authorizing device.

According to further aspects of the invention, a secure identity user device may include one or more of a processor, and memory including instructions configured to establish local communication with an authorization device; receive an authorization proof message from the authorization device, the authorization proof message including an authorization device identifier, location information, and a timestamp; generate a composite proof message including a unique user device identifier, an encrypted version of the authorization proof message, and a timestamp; send the composite proof message to an authorization service; receive a first encryption key via at least one of the authorization device and the device authorization service; and/or authenticate the user device with a second party service provider. Authenticating the user device with the second party service provider may include encrypting a first check message using the first encryption key; encrypting a second check message using the first encryption key; sending the first check message to the authorization service; and/or sending the second check message to the service provider. In embodiments, the first check message and the second check message may include the user device identifier and a timestamp.

Embodiments may include computer instructions configured to acquire biometric data of the user based at least in part on local communication with the authorization device; store the biometric data on the user device as biometric reference data using first computer instructions and an encryption key provided by the device authorization service; reacquire the user's biometric data via a test scan using a biometric scanner of the user device; verify that the biometric reference data is accurately stored on the user device by comparing the test scan to the biometric reference data; and/or delete said first computer instructions based on the verification that the biometric reference data is accurately stored on the user device.

In embodiments, the first and second check messages may be based at least in part on a biometric user confirmation performed by the user device using the biometric reference data.

In embodiments, the biometric data may be stored on the user device based at least in part on confirmation that the user device is located in proximity to the authorizing device.

In embodiments, the biometric reference data may be configured such that a user of the user device cannot change the biometric reference data without participation of the device authorization service.

In embodiments, a data delete circuit may be configured to automatically render inoperable the biometric reference data based on physical tampering with the user device.

According to further aspects of the invention, a tamper-resistant system for engaging in an online activity, while verifying the identity and/or physical location of a user, is provided. The system may include a casing, with a microprocessor and/or a memory housed in the casing.

The system may include a biometric information identification module configured to obtain, store and/or transmit biometric identification data, e.g. for one or more distinct user(s) of the system. In embodiments, the biometric information identification module may include a biometric scanner, such as, for example, a fingerprint scanner, a retina scanner, a DNA scanner, etc.

In embodiments, the microprocessor may be configured to obtain biometric identification information of the user, for example, during a configuration of the system to the user, and/or during an initiation of an online activity.

In embodiments, the user biometric identification data may include encrypted biometric reference data that is stored, for example, during an initial configuration of the system to the user. The memory may include a volatile, or non-volatile memory, for storing the encrypted biometric reference data, which may be configured to automatically erase stored data when power to the memory is reduced or lost.

In embodiments, the system may include a tamper-detection module configured to detect tampering with, for example, the casing and/or connectors of the casing. The tamper-detection module may include, for example, one or more energized anti-tamper electrical circuits that become de-energized when a switch is opened or a circuit conductor is broken in response to an attempt to open the casing, or the like.

In embodiments, the system may include a power supply, which may include, for example, a rechargeable battery. The power supply may include separate power sources for providing power to various components of the system, e.g. to the storage memory, the microprocessor and/or the tamper-detection module. In embodiments, the power source may include a rechargeable battery, separate from a main power supply, the rechargeable battery powering the anti-tamper electrical circuits and/or a memory storage device.

Embodiments may also include a controller module containing automated instructions for monitoring the status of the anti-tamper electrical circuits and for erasing user identification or other data, such as the encrypted biometric reference data, from memory when the tamper-detection module detects tampering with the system, e.g. when any one of the plurality of anti-tamper electrical circuits is de-energized, or when the power level of the rechargeable battery or other power source falls below a certain threshold.
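The device-side behaviour described above (enrolment with a verification scan followed by deletion of the provisioning instructions, so the reference cannot be changed without the service; biometric confirmation against the stored reference; and a controller that erases the reference when an anti-tamper circuit is de-energized or the battery falls below threshold), as an added simulation. This is illustrative code, not the patent's own firmware. Assumptions: biometric templates are modelled as 16-byte feature vectors compared by Hamming distance against a constructed threshold; anti-tamper circuits are modelled as booleans (energized or not); at-rest encryption of the reference is omitted to keep the focus on the state machine.

```python
MATCH_THRESHOLD = 8   # max differing bits between a scan and the reference (constructed)


def hamming(a: bytes, b: bytes) -> int:
    """Bit distance between two equal-length biometric templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class SecureIdentityDevice:
    def __init__(self, battery_floor: int = 15):
        self.reference = None            # biometric reference data; None means nothing stored
        self.provisioning_key = None     # the 'computer instructions' + key from the third party
        self.tamper_lines = {"casing": True, "connectors": True}  # True = circuit energized
        self.battery_floor = battery_floor
        self.wipe_reason = None

    # --- registration, performed with the third party's agent present ---
    def load_provisioning(self, key_from_service: bytes) -> None:
        self.provisioning_key = key_from_service

    def enroll(self, enrol_scan: bytes, test_scan: bytes) -> bool:
        """Store the reference, verify it against a fresh test scan, then drop the instructions."""
        if self.provisioning_key is None:
            raise PermissionError("no provisioning instructions on device; the service must participate")
        self.reference = enrol_scan            # (at-rest encryption omitted in this model)
        if hamming(self.reference, test_scan) > MATCH_THRESHOLD:
            self.reference = None              # stored copy did not verify; start over
            return False
        self.provisioning_key = None           # instructions deleted once storage is verified
        return True

    # --- normal operation ---
    def confirm_user(self, current_scan: bytes) -> bool:
        return self.reference is not None and hamming(self.reference, current_scan) <= MATCH_THRESHOLD

    def controller_tick(self, battery_level: int) -> bool:
        """Controller module: erase the reference if any anti-tamper circuit is de-energized
        or the power source is below threshold. Returns True when a wipe happened."""
        if self.reference is None:
            return False
        opened = [name for name, energized in self.tamper_lines.items() if not energized]
        if opened:
            self._wipe("anti-tamper circuit de-energized: " + ",".join(opened))
            return True
        if battery_level < self.battery_floor:
            self._wipe("power source below threshold")
            return True
        return False

    def _wipe(self, reason: str) -> None:
        self.reference = None
        self.wipe_reason = reason


def simulate() -> list:
    """Constructed scenario: enrol, confirm the owner, reject an impostor, then a casing-open event."""
    owner = bytes(range(16))                                # enrolment scan (constructed)
    owner_retry = bytes([owner[0] ^ 0x01]) + owner[1:]      # same finger, 1 bit of sensor noise
    impostor = bytes(255 - b for b in owner)                # every bit differs
    dev = SecureIdentityDevice()
    dev.load_provisioning(b"provisioning-key-from-third-party")
    events = [("enrol", dev.enroll(owner, owner_retry))]
    events.append(("owner_ok", dev.confirm_user(owner_retry)))
    events.append(("impostor_ok", dev.confirm_user(impostor)))
    events.append(("tick_intact", dev.controller_tick(battery_level=80)))
    dev.tamper_lines["casing"] = False                      # lid switch opened
    events.append(("tick_opened", dev.controller_tick(battery_level=80)))
    events.append(("owner_after_wipe", dev.confirm_user(owner_retry)))
    return events


if __name__ == "__main__":
    for name, outcome in simulate():
        print(name, outcome)
```

After the wipe the legitimate owner is refused too; that is the intended trade-off, since the only way back is a new registration with the service's participation, which is exactly the property that stops a lost or coerced device from being re-bound to someone else.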

A location module may also be provided that is configured to receive navigation signals broadcast from navigation transmitters, and/or to provide location information of the system. The location module may include, for example, a GPS receiver, GPS processing module, and/or GPS location transmitter. In embodiments, the processor may be configured to periodically transmit location information of the system.

The system may be configured to periodically transmit biometric identification data while the user is engaging in an online activity, and to erase the user biometric identification data from memory based on, for example, a detected tampering with the casing or connectors of the casing, and/or a power deficiency from the power supply.

The system may be configured for engaging in online activities, such as online gambling, and periodically transmitting the location information of the system and/or the biometric identification data while the user is engaging in the online activity. Accordingly, if the biometric, or other pertinent data, is deleted or disturbed during the online activity, the activity may be terminated by the sponsor/host.

According to embodiments, the system may include certain non-detachable components (i.e. components that are fixedly integrated with the casing and/or monitored for continuous connection by the tamper-detection module) such as a video screen, a keyboard, a cursor control device, a volatile and/or non-volatile memory, a central processing unit, a network controller, a navigation system, and/or a biometric scanning device.

According to further aspects of the invention, methods of providing a secure online service may include one or more of storing biometric reference data of a user in a database; receiving a request to provide the online service to the user; while providing the online service to the user, periodically receiving current biometric data of the user; comparing the current biometric data of the user to the stored biometric reference data; and/or terminating the online service if (a) the current biometric data does not correspond to the stored biometric reference data, or (b) the current biometric data is not received after a predetermined period of time.

Methods may also include receiving current location information from the user, and/or comparing the location information to predetermined geographical areas in which the online service may be provided before providing the service.

Embodiments may also include terminating the online service if the current location information changes to an area in which the online service is prohibited.
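The service-provider side of the three preceding paragraphs (reference data held in a database, a location check before the service starts, periodic current biometric data compared with the reference, and termination on mismatch, on a missed reporting period, or on movement into an area where the service is prohibited), as an added worked example. This is illustrative code, not the patent's own server logic. Assumptions: biometric templates are 16-byte vectors compared by Hamming distance; permitted areas are axis-aligned latitude/longitude boxes; the reporting period and match threshold are constructed; the "database" is an in-memory dict.

```python
from dataclasses import dataclass

MATCH_THRESHOLD = 8        # max differing bits between current and reference template (constructed)
BIOMETRIC_PERIOD = 60.0    # seconds; no current biometric data within this period ends the session


def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


@dataclass
class Region:
    """Axis-aligned lat/lon box standing in for a predetermined geographical area."""
    name: str
    lat_min: float
    lat_max: float
    lon_min: float
    lon_max: float

    def contains(self, lat: float, lon: float) -> bool:
        return self.lat_min <= lat <= self.lat_max and self.lon_min <= lon <= self.lon_max


class SecureServiceSession:
    def __init__(self, user_id: str, reference_db: dict, allowed: list, now: float):
        self.user_id = user_id
        self.reference = reference_db[user_id]   # stored biometric reference data
        self.allowed = allowed                   # regions where the service may be provided
        self.last_biometric = now
        self.active = False
        self.reason = None

    def _allowed_here(self, lat: float, lon: float) -> bool:
        return any(r.contains(lat, lon) for r in self.allowed)

    def start(self, lat: float, lon: float) -> bool:
        """Request to provide the service: refused unless the user is inside a permitted area."""
        if not self._allowed_here(lat, lon):
            self.reason = "location outside permitted areas"
            return False
        self.active = True
        return True

    def _terminate(self, reason: str) -> bool:
        self.active, self.reason = False, reason
        return False

    def heartbeat(self, now: float, current_biometric: bytes, lat: float, lon: float) -> bool:
        """Periodic report from the device; returns whether the service continues."""
        if not self.active:
            return False
        if now - self.last_biometric > BIOMETRIC_PERIOD:
            return self._terminate("biometric data not received within period")
        if hamming(current_biometric, self.reference) > MATCH_THRESHOLD:
            return self._terminate("current biometric does not match reference")
        if not self._allowed_here(lat, lon):
            return self._terminate("moved to area where service is prohibited")
        self.last_biometric = now
        return True

    def check_timeout(self, now: float) -> bool:
        """Scheduler hook: enforce the period even when no report arrives at all."""
        if self.active and now - self.last_biometric > BIOMETRIC_PERIOD:
            return self._terminate("biometric data not received within period")
        return self.active


def simulate() -> list:
    """Constructed scenario: two valid reports, then the device leaves the permitted area."""
    reference_db = {"user-42": bytes(range(16))}              # constructed template store
    allowed = [Region("state-A", 40.0, 42.0, -75.0, -73.0)]
    current = bytes([0x02]) + bytes(range(1, 16))             # 1 bit of sensor noise vs reference
    s = SecureServiceSession("user-42", reference_db, allowed, now=0.0)
    log = [("start", s.start(41.0, -74.0))]
    log.append(("hb_30", s.heartbeat(30.0, current, 41.0, -74.0)))
    log.append(("hb_60", s.heartbeat(60.0, current, 41.5, -74.2)))
    log.append(("hb_moved", s.heartbeat(90.0, current, 43.5, -74.2)))   # outside state-A
    log.append(("reason", s.reason))
    return log


if __name__ == "__main__":
    for name, outcome in simulate():
        print(name, outcome)
```

The `check_timeout` hook matters in practice: a device whose reference was erased by its tamper controller simply stops reporting, so the service must terminate on silence, not only on a report that fails to match.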

In embodiments, the online service may include transferring funds between different users, and/or the online service may include online gambling, such as online poker.

According to further aspects of the invention, methods of engaging in a secure online service may include one or more of configuring a secure device to include biometric reference data of a user; sending a request from the secure device for the user to engage in the online service; while engaging in the online service, periodically sending at least one of the biometric reference data and current biometric data of the user to a service provider; and/or deleting the at least one of biometric reference data and current biometric data from the secure device if at least one of the device is tampered with and if a power source of the device falls below a required level.

Embodiments may also include sending current location information from the device when requesting the online service or while engaging in the online service.

In embodiments, the current location information may include, for example, a GPS location.

In embodiments, the online service may include transferring funds between different users, and/or the online service may include online gambling.

Additional features, advantages, and embodiments of the invention may be set forth or apparent from consideration of the following detailed description, drawings, and claims. Moreover, it is to be understood that both the foregoing summary of the invention and the following detailed description are exemplary and intended to provide further explanation without limiting the scope of the invention claimed. The detailed description and the specific examples, however, indicate only preferred embodiments of the invention. Various changes and modifications within the spirit and scope of the invention will become apparent to those skilled in the art from this detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are included to provide a further understanding of the invention, are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the detailed description serve to explain the principles of the invention. No attempt is made to show structural details of the invention in more detail than may be necessary for a fundamental understanding of the invention and various ways in which it may be practiced. In the drawings:

FIG. 1 illustrates an internet poker system constructed according to aspects of the invention;

FIG. 2 illustrates an internet poker appliance constructed according to aspects of the invention, showing various components that may be included in the appliance;

FIG. 3 illustrates an anti-tampering circuit for an internet poker appliance constructed according to aspects of the invention;

FIG. 4 is a flowchart illustrating a method for verifying a poker player identity according to aspects of the invention;

FIG. 5 is a flowchart illustrating a method for logging on to a poker appliance according to aspects of the invention;

FIG. 6 is a flowchart illustrating a method for maintaining a logged-on status according to aspects of the invention;

FIG. 7 is a flowchart illustrating a method for triggering a suicide circuit in a poker appliance according to aspects of the invention;

FIG. 8 illustrates an exemplary process for authenticating a secure identity user device according to aspects of the invention;

FIG. 9 illustrates an exemplary process for initializing a secure identity user device according to aspects of the invention;

FIG. 10 illustrates an exemplary process for data handling and cryptography procedures using a secure identity user device according to aspects of the invention;

FIG. 11 illustrates an exemplary process for authenticating the user of a remote workstation using a secure identity user device according to aspects of the invention;

FIG. 12 illustrates an exemplary process for authenticating the user of a remote workstation using a secure identity user device that is issued by a second party service provider according to aspects of the invention;

FIG. 13 illustrates an exemplary use case in which a secure identity user device is used to log into an employee's work-related network according to aspects of the invention;

FIG. 14 illustrates an exemplary use case in which the secure identity user device from FIG. 13 is also used to log into an online banking website according to aspects of the invention; and

FIG. 15 illustrates an exemplary use case in which the secure identity user device from FIG. 13 is also used to make an online purchase according to aspects of the invention.

DETAILED DESCRIPTION OF THE INVENTION

It is understood that the invention is not limited to the particularmethodology, protocols, etc., described herein, as these may vary as theskilled artisan will recognize. It is also to be understood that theterminology used herein is used for the purpose of describing particularembodiments only, and is not intended to limit the scope of theinvention. It also is to be noted that as used herein and in theappended claims, the singular forms “a,” “an,” and “the” include theplural reference unless the context clearly dictates otherwise. Thus,for example, a reference to “a server” is a reference to one or moreserver and equivalents thereof known to those skilled in the art.

Unless defined otherwise, all technical terms used herein have the samemeanings as commonly understood by one of ordinary skill in the art towhich the invention pertains. The embodiments of the invention and thevarious features and advantageous details thereof are explained morefully with reference to the non-limiting embodiments and examples thatare described and/or illustrated in the accompanying drawings anddetailed in the following description. It should be noted that thefeatures illustrated in the drawings are not necessarily drawn to scale,and features of one embodiment may be employed with other embodiments asthe skilled artisan would recognize, even if not explicitly statedherein. Descriptions of well-known components and processing techniquesmay be omitted so as to not unnecessarily obscure the embodiments of theinvention. The examples used herein are intended merely to facilitate anunderstanding of ways in which the invention may be practiced and tofurther enable those of skill in the art to practice the embodiments ofthe invention. Accordingly, the examples and embodiments herein shouldnot be construed as limiting the scope of the invention, which isdefined solely by the appended claims and applicable law. Moreover, itis noted that like reference numerals reference similar parts throughoutthe several views of the drawings.

The figures and flowcharts describe an embodiment of the invention thatapplies to the online version of poker. In this description, the term‘internet poker appliance’ is a particular computing device with specialfeatures specific to poker in addition to the features of the invention.The combination of computer memory for storing the encrypted biometricreference, a control module containing the software that manages thestoring and destruction of the encrypted biometric reference data,anti-tamper circuits and switches, and a power source for maintainingboth memory and control module state is referred to as a ‘suicidecircuit’.

FIG. 1 shows one example of a system built around an internet poker appliance (5) according to aspects of the invention. As shown in FIG. 1, a tamper-resistant system may be provided for playing internet poker, including integrated geo-location and biometric player identification. In addition to the typical components found in state of the art computing devices, the internet poker appliance in this embodiment incorporates a biometric scanner (10), e.g. a fingerprint reader, and circuitry for receiving signals from satellite or terrestrial radio navigation transmitters (15). One or more independent third party identity management providers (20) confirm the identity of the poker appliance owner-user, manage the acquisition of the user's biometric reference data, and store and distribute the encryption keys required to encrypt and decrypt the biometric reference data. In embodiments, the biometric reference data may include biometric scan data, stored inside the computing device, against which all subsequent identity verification biometric scans are compared. In embodiments, the internet poker website infrastructure (25) may be responsible for verifying the identity and location of the player both at log-in and during play, as well as providing/hosting the poker or other online activity.

As discussed further herein, internet poker appliance (5) may include ‘suicide circuits’ connected to all significant fasteners. For example, laminated sheets with integrated ‘suicide circuit’ conductors may be firmly affixed to the inside surfaces of major enclosure panels to prevent access to interior hardware by cutting. Any break in any circuit will cause a ‘Suicide Circuit Controller’ to erase the biometric reference data stored in the dedicated volatile or non-volatile memory (50).

FIG. 2 shows a schematic diagram including possible hardware and software components as may be included in internet poker appliance (5). As discussed herein, various of the listed components may be included within, and/or integrated with, a tamper-proof or tamper-resistant case. In embodiments, exemplary user systems such as the internet poker appliance (5) may be precluded from including one or more of the following: USB ports, infrared ports, firewire ports, modems, video ports with input, additional communications ports of any kind, CD-RW or DVD-RW storage devices, memory device ports (e.g. flash memory card slots), etc., to enhance the security of the system. Elimination of communications ports and other similar components found in conventional computing devices may help to ensure that a person cannot modify the device software or hardware.

As also shown in FIG. 2, features related to the function of internet poker appliance (5) that may be included in a tamper-proof casing (52) may include a battery (40) to power the suicide circuits and/or memory, a suicide circuit control module (45), and memory (50) for storing biometric reference data. One or more microprocessors and associated parts (not shown) may also be included in the casing (52). The battery (40) may be the main stored power source for the entire device or a separate battery dedicated to the maintenance of the suicide circuit components and/or memory. The suicide circuit control module (45) may contain the software, firmware and/or hardware required to write new biometric data into memory (50) and to decide whether stored biometric data should be destroyed in response to an attempt by a person to tamper with the device, the expiration of a specified time span, the battery power level dropping below a specified threshold, or any other criteria. The memory used to store the encrypted biometric reference data may be volatile or non-volatile but is dedicated to the single purpose of storing biometric data. In embodiments, data may be erased, for example, by positively directing a delete function, e.g. to non-volatile memory, or by powering off volatile memory.

The internet poker appliance (5) may be configured, e.g. by hardware orfirmware, to obtain biometric identification information of the user,for example, during a configuration of the system to the user, and/orduring an initiation of an online activity. For example, the system maybe configured such that a vendor selling the system assists in thecreation of the user profile and corresponding biometric identificationinformation, e.g. by providing necessary encryption keys etc. Thus, thesystem may be coded to a particular user when purchased, and may beprevented from being used by others.

A location module may also be provided in the internet poker appliance (5) that is configured to receive navigation signals broadcast from navigation transmitters, and/or to provide location information of the internet poker appliance (5). The location module may include, for example, a GPS receiver, GPS processing module, and/or GPS location transmitter. In embodiments, the processor may be configured to periodically transmit location information of the internet poker appliance (5), with or without biometric identification data, while the user is engaging in an online activity.

According to embodiments, the internet poker appliance (5) may includecertain non-detachable components (i.e. components that are fixedlyintegrated with the casing and/or monitored for continuous connection bythe tamper-detection module) such as a video screen, a keyboard, acursor control device, the volatile and/or non-volatile memory, thecentral processing unit, a network controller, the navigation system,and/or the biometric scanning device.

FIG. 3 shows an exemplary anti-tamper system that may be employed in an embodiment of the invention. In embodiments, electrical circuitry associated with an anti-tamper system may be connected to the suicide circuit control module (45). If an anti-tamper mechanism is breached, the suicide circuit control module (45) may receive notification of the event and, in response, destroy the encrypted biometric reference data stored in the suicide circuit dedicated memory (50). One anti-tamper technique may involve electrical conductors attached in a wide-area pattern (60) to the inside of the computing device enclosure(s) (55). If a person using cutting devices or other tools attempts to cut through the enclosure, the electrical circuit formed by the conductors will be broken, thus indicating to the suicide circuit control module (45) that the biometric reference data should be destroyed. Switches attached to the internet poker appliance enclosure fasteners (65) are another possible anti-tamper mechanism connected to the suicide circuit control module (45). For example, the suicide circuit control module (45) may be configured such that, if any attempt is made to remove the fastener (65), a switch is opened and the biometric reference data, or other data stored in the memory, is deleted.

As one of skill in the art can appreciate, many other anti-tampertechnologies and techniques may be employed that provide a signal to thesuicide circuit control module (45) indicating the status of theanti-tamper system(s).

Explanation of Flowcharts

FIG. 4 shows a process for an independent third party verifying theidentity of the computing device user, acquiring the reference biometricdata, and encrypting and storing the biometric reference data in thecomputing device suicide circuit memory. All steps in FIG. 4 may involveinternet communication through a ‘virtual private network’ or VPN.

The term ‘independent third party’ refers to a company or person notaffiliated in any way with the user-owner of the special computingdevice. An independent third party (ITP) may or may not be affiliatedwith the provider of a regulated internet service such as internetpoker.

In the presence of the computing device user-owner, the ITPrepresentative turns on the special computing device (70). The ITPrepresentative then navigates to a website authorized by the specialcomputing device operating system software. From the authorized website,the ITP representative downloads and launches software designed toacquire, encrypt, and store the user-owner's biometric reference data(75).

The ITP representative asks the device user-owner for proof of his orher identity. Proof may be any government-issued document such as adriver's license or passport. Using the proof document, the ITPrepresentative verifies the user-owner's identity (80).

The ITP representative then directs the user-owner to scan his or herbiometric reference data into the computing device using the scanningcomponent built into the special computing device (85).

Using the software downloaded in step 75, the ITP encrypts the scannedbiometric reference data using encryption keys generated by the providerof the regulated services or by another entity. It is understood thatany encryption keys are stored outside the special computing device(90).

Once encrypted, the ITP software is used to write the encryptedbiometric reference data and encryption keys into the memory controlledand monitored by the suicide circuit control module (95).

The ITP representative then directs the computing device user-owner toverify the encrypted and stored biometric reference data by performing atest scan which involves acquiring new biometric data for comparison tothe encrypted and stored data (100).

The ITP software retrieves the encryption keys used to encrypt the biometric reference data from the regulated service provider (e.g. poker website) server or from the computing device memory (105).

The ITP software reads encrypted biometric reference data from thecomputing device memory (110).

Using the retrieved encryption key, the ITP software decrypts thebiometric reference data (115).

The ITP software compares the test scan biometric data to the biometricreference data stored in the computing device memory (120).

If the two biometric data sets match, the ITP removes the biometric datascanning, encryption, and recording software from the user-owner'scomputing device (125) and returns the computing device to theuser-owner (130).

If the biometric data sets do not match, the ITP repeats the processfrom either the initial scan (85) or the test scan (100) steps.

It should be appreciated that various encryption techniques may be usedto support the concepts of the invention, and that such encryptiontechniques may involve providing, accessing, and/or storingencryption/decryption keys to and/or from various sources.

FIG. 5 shows a process for a computing device user-owner logging intoclient software offering controlled, restricted, or regulatedfunctionality. The term ‘internet service provider’ refers to a businessoffering controlled, restricted, or regulated functionality through theinternet and where the interface with the user-owner of the specialcomputing device is software that runs on the special computing device.The client interface software may be hosted in an internet browser ormay run within the computing device operating system.

To begin, the user-owner turns on the special computing device (135).

The user-owner then launches the client software provided by an internetservice provider (e.g. poker website) offering controlled, restricted,or regulated functionality. (140).

When prompted by the client software, the user-owner enters a user ID, personal identification code, or other identification token into the computing device (145).

When prompted, the user-owner scans his or her comparison biometric datainto the computing device using the built-in biometric scanner component(150).

The internet service provider client software checks computing device(suicide circuit) memory for the presence of encrypted biometricreference data (155).

If no biometric reference data is detected, the user-owner must returnthe computing device to an independent third party for identityre-verification and restoration of the biometric reference data (160).

If valid biometric reference data is found, the internet serviceprovider client software reads the encrypted biometric reference datastored in the computing device (suicide circuit) memory (165).

The internet service provider client software retrieves the encryption keys from the internet service provider data store, from the data store of a third party, or from the computing device memory (170).

The internet service provider client software decrypts the biometricreference data using the encryption keys retrieved in step 170 (175).

The internet service provider client software compares the comparisonscan from step 150 to the decrypted biometric reference data (180).

If the comparison biometric data does not match the reference data, theuser-owner is returned to step 150.

If the comparison is successful, the internet service provider clientsoftware verifies the physical location of the special computing device.

The special computing device receives geo-location signals fromsatellite(s) or ground-based radio navigation transmitters (185).

The internet service provider client software compares geo-locationcoordinates received in step 185 to an off-site database of legaljurisdictions for the controlled, restricted, or regulated activity(190).

If the received geo-location coordinates are outside a legaljurisdiction where engaging in the controlled, restricted, or regulatedactivity is authorized, the user-owner is returned to step 145.

If the received geo-location coordinates are inside a legal jurisdictionwhere engaging in the controlled, restricted, or regulated activity isauthorized, the user-owner is allowed by the internet service providerclient software to access restricted data or engage in a controlled,restricted, or regulated activity (e.g. play poker for real money)(195).
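The enrollment procedure of FIG. 4 (steps 85 to 130) and the login procedure of FIG. 5 (steps 145 to 195), modelled end to end. This is an added example, not code from the application. It assumes a 256-bit biometric code compared by Hamming distance with a 20% threshold, an HMAC-based toy cipher standing in for a real AEAD such as AES-GCM, a constructed bounding box as the legal jurisdiction, and the variant of step 90 in which the encryption key stays with the service provider rather than on the device; the names `seal`, `unseal`, `templates_match`, `enroll` and `login` are the example's own.

```python
import hashlib
import hmac
import os
import struct

# Toy authenticated encryption (HMAC-SHA256 keystream, encrypt-then-MAC) standing in for a
# real AEAD such as AES-GCM, so the block runs on the standard library alone.
NONCE_LEN, TAG_LEN = 16, 32

def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    blocks = [hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("reference blob failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# Templates are modelled as 256-bit codes compared by Hamming distance; 20% is an assumed threshold.
MATCH_THRESHOLD = 0.20

def templates_match(reference, scan):
    if len(reference) != len(scan):
        return False
    differing = sum(bin(a ^ b).count("1") for a, b in zip(reference, scan))
    return differing / (8 * len(reference)) <= MATCH_THRESHOLD

class SuicideCircuitMemory:
    """Dedicated memory for the encrypted reference; erase() is what the suicide circuit does."""
    def __init__(self):
        self.blob = None
    def erase(self):
        self.blob = None

def enroll(memory, provider_keys, serial, reference_scan, test_scan):
    """FIG. 4 steps 85-130; the document check of step 80 happens off-line before this call."""
    provider_keys[serial] = key = os.urandom(32)   # step 90: provider-generated, kept off the device
    memory.blob = seal(key, reference_scan)        # step 95
    try:
        stored = unseal(provider_keys[serial], memory.blob)   # steps 105-115
        ok = templates_match(stored, test_scan)               # step 120
    except ValueError:
        ok = False
    if not ok:                                     # mismatch: redo from step 85 or 100
        memory.erase()
        del provider_keys[serial]
    return ok                                      # True: steps 125-130, device handed back

def in_jurisdiction(coords, boxes):
    lat, lon = coords
    return any(a <= lat <= b and c <= lon <= d for _, a, b, c, d in boxes)

def login(memory, provider_keys, serial, comparison_scan, coords, boxes):
    """FIG. 5 steps 155-195; returns the branch the client software takes."""
    key = provider_keys.get(serial)
    if memory.blob is None or key is None:
        return "RETURN_TO_ITP"                     # step 160
    try:
        reference = unseal(key, memory.blob)       # steps 165-175
    except ValueError:
        return "RETURN_TO_ITP"                     # a modified or swapped blob is not a valid reference
    if not templates_match(reference, comparison_scan):
        return "RESCAN"                            # step 180 failed: back to step 150
    if not in_jurisdiction(coords, boxes):         # steps 185-190
        return "OUT_OF_JURISDICTION"               # back to step 145
    return "GRANTED"                               # step 195

# Constructed sample data: reference code, noisy re-scan of the same finger (20 of 256 bits
# differ), impostor code (all bits differ) and an assumed legal-jurisdiction bounding box.
REFERENCE = hashlib.sha256(b"constructed reference template").digest()
SAME_FINGER = bytes((REFERENCE[0] ^ 0xFF, REFERENCE[1] ^ 0xFF, REFERENCE[2] ^ 0x0F)) + REFERENCE[3:]
OTHER_PERSON = bytes(b ^ 0xFF for b in REFERENCE)
JURISDICTIONS = [("assumed legal box", 35.0, 42.0, -120.0, -114.0)]

def demo():
    memory, keys, serial = SuicideCircuitMemory(), {}, "SID-0001"
    inside, outside = (38.0, -117.0), (34.0, -118.0)
    results = {"enrolled": enroll(memory, keys, serial, REFERENCE, SAME_FINGER)}
    results["granted"] = login(memory, keys, serial, SAME_FINGER, inside, JURISDICTIONS)
    results["impostor"] = login(memory, keys, serial, OTHER_PERSON, inside, JURISDICTIONS)
    results["wrong_place"] = login(memory, keys, serial, SAME_FINGER, outside, JURISDICTIONS)
    tampered = bytearray(memory.blob)
    tampered[NONCE_LEN] ^= 0x01                    # one ciphertext bit flipped on the device
    memory.blob = bytes(tampered)
    results["tampered"] = login(memory, keys, serial, SAME_FINGER, inside, JURISDICTIONS)
    memory.erase()                                 # what the suicide circuit does on a tamper event
    results["erased"] = login(memory, keys, serial, SAME_FINGER, inside, JURISDICTIONS)
    return results
```

Two points the flowcharts leave implicit are visible here. The reference is stored under authenticated encryption, so a blob that has been modified or swapped on the device fails the integrity check and is handled like a missing reference (step 160) instead of being compared. Step 170's option of reading the key from the computing device memory is deliberately not modelled: a key stored next to the ciphertext protects the reference only against someone who has copied the blob without the device, not against anyone holding the device, so the key is fetched from the provider's store. The re-verification loop of FIG. 6 is the same login call repeated when the timer expires.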

FIG. 6 shows the process for a user-owner to remain logged into clientsoftware that allows the user-owner to engage in a controlled,restricted, or regulated activity.

When the user-owner begins using the client software, a timer is startedby the client software with a fixed time duration value (198).

While the user-owner uses the client software, a time increment issubtracted from the timer value of step 198 (200).

The time decay loop of step 200 repeats until the fixed time duration ofstep 198 has expired.

Upon expiration, the client software prompts the user-owner to enter a user ID, personal identification code, or other identification token into the computing device (205).

When prompted by the client software, the user-owner scans his or hercomparison biometric data into the computing device using the built-inbiometric scanner component (210).

The internet service provider client software checks computing device(suicide circuit) memory for the presence of encrypted biometricreference data (215).

If no biometric reference data is detected, the user-owner must returnthe computing device to an independent third party for identityre-verification and restoration of the biometric reference data (220).

If valid biometric reference data is found, the internet serviceprovider client software reads the encrypted biometric reference datastored in the computing device (suicide circuit) memory (225).

The internet service provider client software retrieves the encryption keys from the internet service provider data store, from the data store of a third party, or from the computing device memory (230).

The internet service provider client software decrypts the biometricreference data using the encryption keys retrieved in step 230 (235).

The internet service provider client software compares the comparisonscan from step 210 to the decrypted biometric reference data (240).

If the comparison biometric data does not match the reference data, theuser-owner is returned to step 210.

If the comparison is successful, the internet service provider clientsoftware verifies the physical location of the special computing device.

The special computing device receives geo-location signals fromsatellite(s) or ground-based radio navigation transmitters (245).

The internet service provider client software compares the geo-location coordinates received in step 245 to an off-site database of legal jurisdictions for the controlled, restricted, or regulated activity (250).

If the received geo-location coordinates are outside a legaljurisdiction where engaging in the controlled, restricted, or regulatedactivity is authorized, the user-owner is returned to step 205.

If the received geo-location coordinates are inside a legal jurisdictionwhere engaging in the controlled, restricted, or regulated activity isauthorized, the user-owner is allowed continued access to restricteddata or continued ability to engage in a controlled, restricted, orregulated activity (e.g. play poker for real money) (255).

FIG. 7 shows a process for the destruction of the biometric referencedata by the suicide circuit control module.

The suicide circuit controller software checks the controller batterypower level (260).

If the battery power level is above a predetermined threshold, thesuicide circuit controller software ensures that current is flowingthrough all anti-tamper circuits (270).

If either the battery power level falls below the predeterminedthreshold or any anti-tamper circuit indicates zero current flow, thesuicide circuit controller software will erase the encrypted biometricreference data stored in the suicide circuit controller memory (265).Such functionality may be provided in numerous ways known to those ofskill in the art, depending on the type of memory used.
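The controller decision loop of FIG. 7 (steps 260 to 270), as an added example that is not code from the application. The battery threshold, the loop identifiers and the current readings are assumed. Two behaviours a practitioner would expect, which the flowchart does not state, are included: the controller latches once it has erased, so re-closing a cut loop restores nothing, and a loop that reports no reading at all is treated as open.

```python
BATTERY_THRESHOLD_MV = 3300   # assumed value; the text only says "predetermined threshold"


class SuicideCircuitController:
    """FIG. 7 decision loop over a dedicated memory image and a set of anti-tamper loops."""

    def __init__(self, memory, loop_ids):
        self.memory = memory                  # bytearray holding the encrypted reference
        self.loop_ids = tuple(loop_ids)       # e.g. enclosure mesh, fastener switches
        self.tripped = False
        self.reason = None

    def poll(self, battery_mv, loop_current_ma):
        """One pass of steps 260-270. Returns True once the reference has been erased."""
        if self.tripped:
            return True                       # latched: a re-closed loop must not re-arm anything
        if battery_mv < BATTERY_THRESHOLD_MV:
            return self._erase("battery below threshold")            # step 260 -> 265
        for loop in self.loop_ids:
            # a loop with no reading is treated as open: fail closed
            if loop_current_ma.get(loop, 0.0) <= 0.0:
                return self._erase(f"anti-tamper loop {loop!r} open")  # step 270 -> 265
        return False

    def _erase(self, reason):
        for fill in (0xFF, 0x00):             # overwrite, then verify, before reporting
            for i in range(len(self.memory)):
                self.memory[i] = fill
        if any(self.memory):
            raise RuntimeError("erase verification failed")
        self.tripped, self.reason = True, reason
        return True


def demo():
    """Constructed readings: normal, then a fastener switch opens, then the loop is re-closed."""
    memory = bytearray(b"\x5a" * 64)          # stand-in for the encrypted reference blob
    ctl = SuicideCircuitController(memory, ["mesh", "fastener_1", "fastener_2"])
    healthy = {"mesh": 1.2, "fastener_1": 1.1, "fastener_2": 1.1}
    opened = dict(healthy, fastener_2=0.0)
    trace = [
        ctl.poll(3900, healthy),              # normal operation: False
        ctl.poll(3900, opened),               # fastener removed: erase, True
        ctl.poll(3900, healthy),              # loop re-closed: still tripped, True
    ]
    return trace, bytes(memory), ctl.reason
```

demo() returns the three poll results, the memory contents after the sequence (all zero) and the recorded reason. The low-battery branch is the same path with a different reason string.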

Embodiments of the present invention can include systems forimplementing the described methods, as well as computer-readable storagemedium coded with instructions for causing a computer to execute thedescribed methods. For example, server systems including at least aprocessor, a memory and an electronic communication device, may beconfigured to receive, identify, respond to and/or act on a request,such as those described herein, received over a network, such as theInternet. Such servers may be operated by service providers including,for example, online casinos, government monitoring agencies and/oridentity authenticators.

Requests to engage in online activities such as gambling may originatefrom, for example, a client device according to aspects of theinvention, via various networks. Such networks may include any number ofcommunication components including wired, cellular, satellite, opticaland/or other similar communication links.

For computer intranet and internet transactions, including but not limited to those previously described, aspects of the present disclosure may replace the use of passwords and certain two-factor identity verification methods with a single, universally trusted mechanism. Certain exemplary systems described herein may allow a person to have their true identity verified by an independent third party in a real-world location. By ensuring that only a third party agent can collect the biometric reference of the identified person, and by storing that reference data on the identified person's secure computing device (e.g. smartphone), it becomes prohibitive for the identified person to transfer their device to any other person. This may ensure that the person using the device for sensitive internet or intranet operations is the correctly verified biological entity associated with the device and no other.

To further harden the system, a mechanism is provided that prevents anymodification of sensitive data stored on a secure identity device (e.g.smartphone). Should a secure identity device be lost and subsequentlytampered with, a ‘suicide circuit’ tamper prevention system erases allsensitive data stored on the device including the owner's biometricreference data and internal encryption keys.

In embodiments, a personally owned security device, which may beintegrated into a smartphone, may be used to make purchases online,engage in online banking transactions, and gain authorized access tohighly sensitive government or corporate networks with only a singlethird party ‘real-world’ identity verification event required toinitialize the device. This may enable a single factor, universallytrusted identity verification for any computer network login or internettransaction.

To illustrate, consider a case where an employee contractor works on a military base and requires access to a base computer network both on-premises and via a virtual private network (VPN) when traveling. The contractor purchases a new smartphone with the security features described herein and wants to use the smartphone device to log in to the base computer network either on-premises or through the VPN. Since the phone is personally owned, the contractor may also want to use the device to make secure online purchases and engage in online banking transactions. The contractor may want to review his or her electronic health records, which are stored with a health management company.

Each of the online entities requiring reliable identity verification is independent of the others, and all use a single third party service to confirm a user's identity. In the illustration above, the military authorities will likely require that they be agents of the third party verification service for the purposes of device initialization through real-world identity verification. Because it was performed by a military authority, this identity verification may also be acceptable to online financial institutions, online retailers, government tax authorities, and, ultimately, political elections officials. Stated another way, businesses and government agencies may trust the identification accuracy of the military authorities.

Once a person's secure identity device (e.g. smartphone) is initializedwith a biometric reference linking the biological person to the device,any transaction requiring reliable identity verification may becompleted with a single biometric scan which is compared to thereference stored inside the device. In embodiments, agents of the thirdparty cannot access, change, or otherwise have knowledge of anysensitive information, including encryption keys, at any point during orafter the real-world identity verification procedure.

This and other identity verification scenarios may be widely enabled byaspects of the present subject matter, using a single, non-transferablebiometric scan. Various observers may perceive the degree of advantageof such a system over existing methods differently but for the mostidentity and security critical online activity, voting in politicalelections, a system like the one described herein is likely required.

Two aspects relevant to the present subject matter are privacyprotection and data dispersion.

Although the independent third party is responsible for verifying humanidentities in some embodiments, in at least some implementations, thethird party system does not store any information about the verifiedperson, e.g. no names, addresses, phone numbers, email addresses and/ortax ID numbers are stored on any third party infrastructure. Allpersonal data may be stored in the secure identity device and protectedby the ‘suicide circuit’ anti-tamper system. In some embodiments, onlythe secure identity device public serial number and a private encryptionkey, issued by the third party during the real-world deviceinitialization and identity verification process, need be managed by thethird party. This design removes or significantly reduces any incentivefor hackers to target the third party.

Data dispersion is another feature of the present disclosure designed todeter hackers. In embodiments, most personal data is stored ‘at rest’only inside the data owner's secure identity device. This ensures thathackers never have a single, aggregated database to target. The universeof all users' data is dispersed across thousands or millions of devices(rather than maintained in a single target). In those cases where datais naturally stored in aggregated databases, such as with electronichealth records, every data unit may be encrypted with the data owner'sencryption key when at rest or in transit. This ensures that if theaggregated database is ever compromised, it will never be useful tohackers since each data unit is encrypted with a different key and thosekeys exist in only two places: the data owner's secure identity deviceand the independent third party infrastructure. Data unit encryptionkeys are never provided to any outside company or government entity,including those that aggregate many data units in a single database.Various embodiments related to these objects are discussed further belowwith reference to FIGS. 8-15.

As shown in FIGS. 8 and 9, a security solution according to certainaspects of the invention may include a mobile secure identity device(SID) 301, a mobile authorization device (ASID) 401, and cryptographicprocessing infrastructure 500 that enable a device to be securely linkedto a verified user 300.

The SID 301 contains a user's biometric reference data (referencefingerprint, iris or retina scan) and other vital data that only anauthorized third party agent 400 can initially collect. The SID 301 isequipped with ‘Suicide Circuit’ technology to eliminate the threat ofhardware hacks.

The ASID 401 is used by third party agents to collect the user's biometric reference and may be equipped with a GPS receiver and Suicide Circuit technology. The authorization procedure involving the ASID is performed only one time for a user, such as when the user purchases or is assigned the SID 301, which may include when an employee is in-processed by a second party employer/agency.

Cryptographic processing infrastructure 500 is operated on behalf of various second parties 600. The third party infrastructure enables comprehensive, fully automated verification services. By design, neither the first party user/employee 300 nor the second party (e.g. service or network operator) 600 has access to any part of the third party infrastructure except through the outward-facing application programming interface (API) 501.

Only an agent 400 of the third party can collect the biometric referenceand any attempt to tamper with the hardware will neutralize the SID 301.

As shown in FIG. 8, the ‘First Party’ consists of a human being (person)300 and SID 301. The person 300 is ‘biometrically bound’ to a single SID301 via a biometric scanner built into the SID 301. The person has averified identity confirmed by a conventional authority such as agovernment driver's license issuer or government tax agency. Each SID301 has one and only one biometrically bound user 300 and the devicememory contains a biometric reference against which future biometricscans are compared when verifying the device user person's identity. Thedevice memory may also contain sensitive personal data such as creditcard and bank account numbers, tax identification number(s), health caredata, and other highly sensitive information. Finally, the device memorycontains one or more encryption keys, at least some of which may beissued by the independent third party cryptographic processinginfrastructure 500.

The human person 300 associated with the SID 301 may be one or more of the following: a consumer of online products and services; an employee and/or user of a second party 600 (which may use the SID 301 for logging into second party web pages or networks); a taxpayer; a patient in an electronic health care ecosystem; or a participant in any other activity requiring reliable verification of the first party SID 301 owner-user's true identity.

The SID 301 may be a mobile computing device as described herein, and may be connected to the internet or other networks, containing a biometric scanner, both volatile and non-volatile memory, anti-tamper technology, and one or more encryption keys. The device memory components may contain the encryption keys, the reference data representing the SID owner-user's 300 biometric definition against which every subsequent biometric scan may be compared, the first party owner-user's 300 sensitive personal data, and other data as required. The relationship between the SID 301 and its owner-user 300 may be one-to-one at any given time but, in some examples, it can be transferred to a new owner-user provided the ‘biometric binding’ is reset to the new user, e.g. by the third party agent 400. The SID 301 may have an anti-tamper mechanism which erases all sensitive data stored in volatile or non-volatile memory if any attempt is made to open the device case or otherwise compromise the integrity of the interior electronic components. Erased data includes but is not limited to the user-owner's biometric reference data, financial account numbers, or taxpayer identification numbers.

The SID 301 may be capable of communicating with the public internetthrough wireless networks (WiFi) and with nearby computers usingshort-range radio signals (Bluetooth/Near Field Communications-NFC) 311.Additionally, the device runs software that manages, during an identityverification event, simultaneous communication between a second party600 website, internal network, or virtual private network and thirdparty 500 infrastructure.

The ASID 401, may include many similar features to the SID 301, such asa network communication link, a GPS receiver and other components andbehaviors described for the ‘owner-user’ SID 301, as well as a temporarysoftware loading and unloading application that allows agents 400 of thethird party 500 to bind specific devices to specific users.

In some examples, the ASID 401 may include:

1. a Global Positioning System (GPS) or equivalent navigation system capable of detecting the geographic coordinates of the device, and
2. software that manages, during the identity verification process, simultaneous communication between the SID 301 and the third party 500.

As shown in FIG. 11, in one usage scenario, the SID 301 may be issued to an employee of a second party company or government agency to use as a secure login device. The device may use short-range radio signals (Bluetooth/NFC) 311 to communicate with special software running on a nearby computer 610 connected to the second party's network 604, either directly or through a virtual private network.

The ‘Second Party’ 600 may be understood as the online entity with which the first party may interact in ways involving the exchange or transport of sensitive information through the internet; a private company or government office operating secure internal networks or virtual private networks (VPNs) that are reachable through or exposed to the public internet; or service providers in an electronic healthcare ecosystem that utilizes the public internet to facilitate interactions between patients and healthcare providers. Various second party infrastructure resources are represented in FIGS. 8 and 10-12 as resources 600, 602 and 604.

The ‘Third Party Principal’ 500 may be the operator of all infrastructure required to manage arbitration between first and second parties, between third party agents and first parties, etc., and may be the principal distributor of the SID.

The ‘Third Party Agent’ 400 may be a human being that acts on behalf of the third party principal 500. A third party agent may be an employee of the third party principal 500, a contractor, an employee of a second party or any other human person with the authority to verify the identity of an owner-user in coordination with the third party principal 500. The third party agent 400 uses an ASID 401 to communicate with the SID 301 owned by or issued to the first party owner-user 300. A third party agent verifies the identity of an owner-user 300 only while in the physical presence of the owner-user 300. A Global Positioning System (GPS) or equivalent navigation system, incorporated into the ASID 401, ensures that the third party agent 400 can only authenticate an owner-user 300 when the SID 301 is within a specific but relatively small radius 401 from the third party ASID 401. The boundary 401 represents, for example, the radius from a fixed latitude and longitude (GPS fix) within which both the ASID and the SID must remain during the SID initialization and user authentication procedures, such as described herein. Other boundary types and position determining means are also possible, e.g. using other near field communication links, etc. In some examples, the GPS fix may be determined by the third party 500 when the ASID 401 is issued to the agent 400. Before any registration or authorization procedure begins, a GPS receiver built into the ASID 401 may determine the current position of the ASID 401 and SID 301. The current GPS coordinates may be included in Composite Proof Messages 403 to the third party 500 and compared to the coordinates on record with the third party.

An ‘Application Programming Interface’ (API) 501 is provided by the third party 500 as the gateway through which SID 301, ASID 401, and second party computer systems 600, 602, 604 interact with the automated third party computer systems. In some examples, the API layer 501 may be accessible through the public internet using industry standard protocols (e.g. https).

Second party computer systems 600, 602, 604 may use conventional websites (or specially secured networks, such as classified government networks) to communicate with SIDs 301 and/or intermediary systems like computer system 610, and may do so using internet standard communication protocols (e.g. https), unless the network requires other protocols. Any exchange 305 between parties not involving sensitive data as discussed herein may occur using these internet standard protocols without any involvement of the third party 500.

If an exchange between the first party and second party involves the transmission of sensitive data where the second party requires assurances of the personal (human) identity of the owner-user 300 that is using SID 301, messages 306 may be generated by the SID. One part of the message 306 may include the sensitive data along with additional information sent to the second party computer system (e.g. 600, 602, 604) in a structured unit comprising one or more of:

1. public serial number of the SID, unencrypted
2. sensitive data owned by the owner-user, encrypted with a first party SID encryption key
3. non-public first party SID serial number, encrypted with a first party SID encryption key
4. timestamp, encrypted with a first party SID encryption key
5. single use transaction code, encrypted with a first party SID encryption key

At the same time the structured unit containing the owner-user's sensitive data is sent to the second party website or network, the SID sends to the API layer 501 a ‘check message’ containing one or more of:

1. public serial number of the SID, unencrypted
2. non-public SID serial number, encrypted with a first party SID key
3. timestamp, encrypted with a first party SID encryption key
4. single use transaction code (e.g. the same code as in the structured unit for the second party), encrypted with a first party SID encryption key

The check message may be used to validate the structured data unit sent by the second party to the third party API layer 501 through an internet (or other) link 607 between them.

Using a conventional, secure internet connection to the third party API 501, the second party computer system (600, 604) may transmit a structured data unit containing sensitive data encrypted with the first party SID encryption key to the third party 500, where it is decrypted and validated. The third party 500 may be the issuer of the first party encryption keys stored in the SID and may maintain copies of these keys. This enables the decryption and validation process and relieves the second party of the burden of storing (and potentially exposing to hackers) the sensitive data owned by the first party.

Once the structured data from 306 and 607 is decrypted and validated, the result may be either immediately returned to the second party computer system (e.g. 600, 604) or returned in encrypted form using a key issued to the second party by the third party, via message 608.

The third party 500 may record the time each message arrives at the API layer 501. In some examples, all validation messages come in pairs. One is the call made to the API 501 by the second party and the other is the check message sent directly to the third party 500 by the SID 301. Either message may arrive first. When the first of the two messages arrives, the third party software system listens for the second message. When both messages are received, the third party software compares the arrival times to calculate a delta time 506, ensuring that they are separated by no more than a specific but small time span.

This additional layer of timestamp validation makes the system harder for hackers to compromise.

This same timing procedure may be applied to the authorization process involving authorization message 412 and composite proof messages 403 for the Device Initialization and User Identity Verification Procedures described further below with respect to FIG. 9.

Once the third party agent 400 has successfully verified the true identity of the owner-user 300 and initialized the SID 301 by scanning and storing the owner-user's biometric reference data into the memory of the SID 301, the ASID 401 sends an electronic message both to the SID 301 via a short range radio link 311 and, simultaneously, to the third party 500. This ‘authorization proof message’ 412 may contain the following information:

1. public serial number of the ASID 401, unencrypted
2. non-public third party ASID serial number, encrypted with a third party ASID encryption key
3. third party ASID 401 GPS coordinates, encrypted with a third party ASID encryption key
4. single use transaction code, encrypted with a third party SID encryption key
5. timestamp, encrypted with a third party ASID encryption key

Once the SID 301 receives an authorization proof message 412, it is included in a ‘composite proof message’ 403 which is sent to the third party 500 at nearly the same time (within some very small tolerance) that the ASID 401 sends the authorization proof message to the third party 500. The composite message may contain the following information:

1. public serial number of the SID 301, unencrypted
2. non-public first party SID serial number, encrypted with a first party SID encryption key
3. the (entire) authorization proof message 412, encrypted with a first party SID encryption key
4. single use transaction code (same code as in authorization proof message 412), encrypted with a first party SID encryption key
5. timestamp, encrypted with a first party SID encryption key

In some examples, in the composite proof message 403, the authorization proof message 412 may be encrypted twice: once with a third party ASID encryption key and then a second time as part of the composite proof message, where it is encrypted again with a first party SID encryption key.

When the third party 500 receives both the third party ASID authorization proof message 412 and the first party SID composite proof message 403, the third party 500 may send a response message 514 back to the third party ASID 401 containing:

1. authorization response code, encrypted with a third party ASID encryption key
2. timestamp, encrypted with a third party ASID encryption key

The third party ASID response message 514 is decrypted by software running on the ASID 401. The third party ASID software may use the short range radio link with the SID 301 to check whether the SID 301 has received a counterpart response message 515 from the third party 500. When both response messages are received, the software running on the third party ASID 401 compares the authorization response codes from both messages to ensure they are the same. It also checks that the timestamps differ by no more than a specific but small time span.

When the third party 500 receives both the third party ASID authorization proof message 412 and the first party SID composite proof message 403, the third party 500 may send a response message 515 back to the SID 301 containing:

1. authorization response code, encrypted with a first party SID encryption key
2. timestamp, encrypted with a first party SID encryption key

The first party SID response message 515 is decrypted by software running on the SID 301. The first party SID software allows the third party ASID 401 to read the values of the decrypted response message's authorization response code and timestamp.
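As an added example that is not part of the patent, the following Python models the third party's side of the two procedures described above: pairing the structured unit forwarded by the second party (link 607) with the SID's check message and enforcing delta time 506, and checking the ASID's authorization proof message 412 against the SID's composite proof message 403, including the GPS boundary around the ASID fix on record. The toy keystream cipher, the key values, the 5-second delta, the 50-metre radius and the coordinates are all assumptions of the example, not values from the patent.

```python
"""Added example, not from the patent: a runnable model of the third party's
side of two procedures. Toy cipher, keys, delta and radius are assumptions."""
import hashlib, hmac, json, math, os

# Constructed key store: the third party issued these device keys and keeps copies.
KEYS = {"SID-0001": b"sid-key-0001", "ASID-9001": b"asid-key-9001"}
MAX_DELTA_S = 5.0   # the "specific but small time span" (assumed value)
RADIUS_M = 50.0     # assumed radius of the boundary around the ASID's GPS fix

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, data: dict) -> str:
    """Toy encrypt-then-MAC of a JSON dict: SHA-256 keystream XOR plus an
    HMAC tag. Placeholder for the unspecified SID/ASID encryption key cipher."""
    pt = json.dumps(data, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()

def open_sealed(key: bytes, blob_hex: str) -> dict:
    """Check the tag before decrypting; raises ValueError on any tampering."""
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("bad tag")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def sid_identity_event(serial, secret_serial, sensitive, now):
    """SID side: the structured unit for the second party (message 306) and the
    check message for API 501. Both carry the same single-use code and timestamp."""
    body = {"secret_serial": secret_serial, "ts": now, "code": os.urandom(8).hex()}
    unit = {"serial": serial, "enc": seal(KEYS[serial], dict(body, sensitive=sensitive))}
    check = {"serial": serial, "enc": seal(KEYS[serial], body)}
    return unit, check

def validate_pair(unit, unit_arrival, check, check_arrival):
    """Third party side: the unit arrives via the second party (link 607), the
    check message straight from the SID. Decrypt both with the device key, match
    non-public serial and transaction code, then enforce delta time 506."""
    if unit["serial"] != check["serial"]:
        return False, "public serial mismatch"
    key = KEYS.get(unit["serial"])
    if key is None:
        return False, "unknown device"
    try:
        u, c = open_sealed(key, unit["enc"]), open_sealed(key, check["enc"])
    except ValueError:
        return False, "tag check failed"
    if (u["secret_serial"], u["code"]) != (c["secret_serial"], c["code"]):
        return False, "non-public serial or transaction code mismatch"
    if abs(unit_arrival - check_arrival) > MAX_DELTA_S:
        return False, "arrival delta exceeded"
    return True, u["sensitive"]   # released only to the second party's caller

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def asid_authorize(asid_serial, asid_secret, lat, lon, now):
    """ASID side: authorization proof message 412, sent to the SID and third party."""
    body = {"secret_serial": asid_secret, "lat": lat, "lon": lon,
            "code": os.urandom(8).hex(), "ts": now}
    return {"serial": asid_serial, "enc": seal(KEYS[asid_serial], body)}, body["code"]

def sid_composite(sid_serial, sid_secret, auth_msg, code, now):
    """SID side: composite proof message 403 wrapping the still-encrypted 412."""
    body = {"secret_serial": sid_secret, "auth_proof": auth_msg["enc"],
            "code": code, "ts": now}
    return {"serial": sid_serial, "enc": seal(KEYS[sid_serial], body)}

def validate_registration(auth_msg, composite, fix_on_record):
    """Third party side: open 412 and 403, unwrap the doubly encrypted inner 412,
    then require equal proofs, a matching code, a small timestamp delta and an
    ASID position inside the boundary around the GPS fix on record."""
    try:
        a = open_sealed(KEYS[auth_msg["serial"]], auth_msg["enc"])
        c = open_sealed(KEYS[composite["serial"]], composite["enc"])
        inner = open_sealed(KEYS[auth_msg["serial"]], c["auth_proof"])
    except (KeyError, ValueError):
        return False, "unknown device or tag check failed"
    if inner != a or a["code"] != c["code"]:
        return False, "proof messages do not match"
    if abs(a["ts"] - c["ts"]) > MAX_DELTA_S:
        return False, "timestamp delta exceeded"
    dist = haversine_m(a["lat"], a["lon"], *fix_on_record)
    if dist > RADIUS_M:
        return False, f"ASID {dist:.0f} m outside boundary"
    return True, "registration accepted"
```

Because the second party never holds the device key, a forwarded unit whose ciphertext was altered in transit fails the tag check rather than decrypting to garbage, and a replayed unit fails on the transaction code.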

FIG. 10 shows additional details regarding Secure Identity Device Data Handling and Cryptography Procedures.

As shown in FIG. 10, the ‘First Party’ consists of a human being (person) 300 and SID 301. Communications to and from SID 301 and the third party API 501 (and other third party infrastructure 520-523) may occur via exchange 318 during the following operations:

1. third party ASID 401 initialization
2. SID 301 initialization and owner-user 300 identity verification by a third party agent 400
3. identity verification events when sensitive owner-user data or second party login or transaction data is transported across secure or unsecure internet connections

Communications to and from a second party and the third party API 501 (and other third party infrastructure 520-523) may occur via exchange 619 during the following operations:

1. second party requests for first party SID data unit decryption and first party owner-user identity verification
2. third party responses to second party requests for first party SID data unit decryption and first party owner-user identity verification (the response may or may not be encrypted with a key issued to the second party 602 by the third party 500)

The technology infrastructure operated by the third party 500 is built in layers, with each layer moving the cryptographic operations farther away from the public internet and exposure to hackers. Layer 520 may include a collection of servers running the third party APIs 501 which handle communications to and from SIDs 301, ASIDs 401, and second party computer systems 600, 602, 604. This layer is naturally exposed to the public internet through public-facing but encrypted standard internet protocols (e.g. https).

A second layer 521 of computer servers runs software that manages all business logic required to deliver third party 500 services rendered to first and second parties. Computer servers in this layer may be protected by a firewall which allows only network traffic to and from the public-facing servers in the first layer 520 to pass through. The layer 521 network may be completely separate from all other internal computer networks operated by the third party 500. This means that computers in the layer 521 network are not accessible from computers in other third party 500 internal networks such as those used for routine corporate operations (e.g. email, human resources, accounting, etc.).

The layer 521 servers run software that manages communications to and from specially designed computers 523 that handle all cryptographic operations, including message decryption and encryption and generation of new encryption keys. This communication occurs through a non-standard, proprietary pathway designed to allow automated transmission of messages while isolating the layer 523 cryptographic computers from direct exposure to the layer 1 servers 520 and the public internet.

The most secure part of the third party infrastructure 500 is layer 523, which comprises specially built computers running a custom-built operating system designed to allow an extremely narrow range of communications into and out of the computers. These computers execute all cryptographic operations, including message decryption and encryption and generation of new encryption keys. They are not connected to any conventional computer network and are separated from all other computers in all other networks by an ‘air gap’, except for the proprietary connections 522 to the layer 521 servers.

FIG. 11 depicts additional details regarding a Personally Owned Secure Identity Device-Secure Login Variant.

When a SID 301 is used by an owner-user 300 to log in to a second party workstation 610 or to send sensitive data to the second party system 604, an initial handshake may be implemented between the SID and the workstation 610 via communication link 311. The user identity verification data, along with additional information, may be sent as shown in 316. A structured communication unit may be sent to the second party including:

1. public serial number of the SID 301, unencrypted
2. log in or sensitive data required by the second party 604, encrypted with a first party SID encryption key
3. non-public first party SID 301 serial number, encrypted with a first party SID encryption key
4. timestamp, encrypted with a first party SID encryption key
5. single use transaction code, encrypted with a first party SID encryption key

As also shown in 316, at the same time the SID 301 sends the structured unit containing sensitive data to the second party server infrastructure 604, the SID 301 sends to the third party API 501 a ‘check message’ containing:

1. public serial number of the SID 301, unencrypted
2. non-public first party SID 301 serial number, encrypted with a first party SID encryption key
3. timestamp, encrypted with a first party SID encryption key
4. single use transaction code (same code as in the structured unit for the second party), encrypted with a first party SID encryption key

The check message is used to validate the structured data unit sent by the second party to the third party API 501 through the internet link 607 between them.

After the SID exchange is successfully used to verify the true identity of the owner-user 300 (and the second party server infrastructure 604 and/or the workstation 610 confirm that the SID 301 is communicating with workstation 610 via handshake or other processes), routine intranet network exchanges between the second party server infrastructure 604 and the workstation 610 used by the owner-user continue until the first party owner-user logs off of the workstation 610 or until the second party server infrastructure 604 requests that the owner-user 300 use the SID 301 to re-verify the owner-user's identity.

FIG. 12 depicts additional details regarding a Second Party-Issued Secure Identity Device-Secure Login Variant.

In one usage scenario, the SID 301 may be issued to an employee of a second party company or government agency to use as a secure login device. The SID 301 uses short-range radio signals (Bluetooth/NFC) 311 to communicate with special software running on a nearby computer 620 connected to the second party network 604, either directly or through a virtual private network.

A second party workstation 620 is used to enable user 300 to access a second party 604 internal network or virtual private network. The workstation 620 may have a short-range radio communications capability (Bluetooth or NFC) 311, so that data may be exchanged between the SID and the workstation 620 or any computer that serves as an access point to the second party 604 internal network or virtual private network.

Using a conventional, secure internet connection to the third party API 501, the second party may transmit a structured data message 607 containing sensitive data encrypted with the first party SID encryption key to the third party 500, where it is decrypted and validated. The third party 500 may be the issuer of the first party SID encryption keys and may maintain copies of these keys. This enables the decryption and validation process and relieves the second party 604 of the burden of storing the sensitive data owned by the first party and potentially exposing it to hackers.

Once the structured data message 607 is decrypted and validated by the third party 500, the result may be either immediately returned to the second party 604 or returned in encrypted form using a key issued to the second party 604 by the third party 500, via message 608.

The process may use timestamp delta time 506 validation as previously discussed.

When a SID 301 is used by an owner-user 300 to log in to a second party workstation 620 or to send sensitive data to the second party system 604, an initial handshake may be implemented between the SID and the workstation 620 via communication link 311. The user identity verification data, along with additional information, may be sent as shown in 326. A structured communication unit may be sent to the second party including:

1. public serial number of the SID 301, unencrypted
2. log in or sensitive data required by the second party 604, encrypted with a first party SID encryption key
3. non-public first party SID 301 serial number, encrypted with a first party SID encryption key
4. timestamp, encrypted with a first party SID encryption key
5. single use transaction code, encrypted with a first party SID encryption key

As also shown in 326, at the same time the SID 301 sends the structured unit containing sensitive data to the second party server infrastructure 604, the SID 301 sends to the third party API 501 a ‘check message’ containing:

1. public serial number of the SID 301, unencrypted
2. non-public first party SID 301 serial number, encrypted with a first party SID encryption key
3. timestamp, encrypted with a first party SID encryption key
4. single use transaction code (same code as in the structured unit for the second party), encrypted with a first party SID encryption key

The check message is used to validate the structured data unit sent by the second party to the third party API 501 through the internet link 607 between them. It should be noted that, in this case, since the second party issued the SID 301 to the user 300, there may be additional protocols implemented between the SID 301 and the workstation 620 to confirm that the device is authenticated with the second party 604.

After the SID exchange is successfully used to verify the true identity of the owner-user 300 (and the second party server infrastructure 604 and/or the workstation 620 confirm that the SID 301 is communicating with workstation 620 via handshake or other processes), routine intranet network exchanges between the second party server infrastructure 604 and the workstation 620 used by the owner-user continue until the first party owner-user logs off of the workstation 620 or until the second party server infrastructure 604 requests that the owner-user 300 use the SID 301 to re-verify the owner-user's identity.

Various aspects of the present disclosure are further described through the following three use cases. The scenario involves a man named John Smith, an employee of a defense contractor that requires the highest possible security for its internal networks. Mr. Smith is also a consumer who wants to handle his banking online and who makes purchases from online retailers. In each use case, John Smith uses his personally owned smartphone, which is equipped with certain security features including a biometric reader. The use cases progress through Mr. Smith's work day, each showing a different way he uses the same smartphone device to verify his identity.

This is possible because the independent third party acts as an arbitrator for both the first and second parties. In our use cases, Mr. Smith is the first party and his defense contractor employer is the second party. The independent third party identity management service acts in a way similar to a referee in a sports match.

FIG. 13 shows a first use case of a defense contractor employee login to a company network.

Mr. Smith arrives at his office and turns on his company computer workstation 710. He brings his personal smartphone 712 to within a few feet of his workstation 710. The workstation's short range radio detects the presence of the smartphone 712 and causes display of a prompt (via communications link 716) asking John to scan his fingerprint (or any other biometric identifier) to log in. The smartphone 712 detects all workstations within range and displays a list in a mobile app 714. In this example, 3 workstations are detected, but the service knows that John Smith is only authorized to access the computer identified as ‘ws1729.net4.tucson.contractor.net’. However, in other examples, the user may be able to select between various available and authorized networks. To gain access to the workstation 710, John simply scans his fingerprint using his smartphone's biometric reader. John's smartphone 712 was initialized by a representative from the defense contractor's human resources department using procedures similar to those previously described.

FIG. 14 shows a second use case of a banking customer login to a bank website.

After John logs out of his company workstation, he goes home and decides to check his bank account. In an internet browser window on home computer 718, he types in the address of his bank's website and navigates to the online banking login page. John brings his personal smartphone 712 to within a few feet of his home computer, and the computer's short range radio detects the presence of the smartphone 712. The computer 718 (or a third party message) then causes the smartphone 712 and/or computer 718 to display a prompt asking John to scan his fingerprint to log in 720.

Recall that in Use Case 1, John's smartphone 712 was initialized by a human resources representative at his defense contractor's offices. Because the online bank trusts the validity of the defense contractor's in-person, real world identity verification, it trusts the identity confirmed by his personal smartphone 712. This means that John can universally verify his identity at any website accepting the credential unless his smartphone 712 is lost, destroyed, or tampered with.

FIG. 15 shows a third use case of a consumer making an online purchase, including authorizing payment for a purchase from an online retailer.

Once he has checked his online bank account, John decides to search for and buy a new television set. Using his smartphone's web browser, he searches the web for the best price. He navigates to an online retailer he has never visited before and, because they offer the best price, he selects the television make and model he wants and navigates to the website's check out page 722. The web application communicates with the smartphone's identity verification software through the browser to confirm his identity. The identity verification software presents John with the total price, including shipping and sales tax, and then asks him to select a payment account 734, shipping address 736, email address 732, etc. It then asks John to scan his fingerprint to authorize the payment in authorization screen 724. As in Use Case 2, the online retailer trusts the identity verification because it trusts both the second party—John's defense contractor employer—and the third party identity management service.

This use case illustrates two benefits for ecommerce.

First, John does not have to enter any data into the website even if, as in this example, this is the first time he has visited the online retailer. All data necessary to complete the purchase is stored inside John's smartphone and is sent in encrypted form to the retailer after a successful biometric scan.

Second, hacker attacks on the online retailer are stopped because the website no longer needs to store large numbers of credit card accounts and other sensitive information. The present invention eliminates the need for any online retailer to store any sensitive information in centralized databases, because John's personal data, including his fingerprint reference data, is stored in a tamper-resistant smartphone. Online retailers, online tax filing services, and other handlers of sensitive personal data use the data on an as-needed basis. Data is dispersed across millions of devices, removing the primary reason hackers target retailers and other web-based businesses. For example, the encrypted data provided by John may only be decrypted by a third party service that has his specific first party SID keys.

The networks described herein can connect various wired, optical, electronic and other known networks to exchange information among, for example, servers, computers, mobile device(s), picocell network devices, mobile computer(s), and any other devices with similar functionality. The above-described devices and materials will be familiar to those of skill in the computer hardware and software arts and need not be individually or exhaustively depicted to be understood by those of skill in the art. The hardware elements described above may be configured to act as one or more modules for performing the operations described above.

In addition, embodiments of the present invention further include computer-readable storage media that include program instructions for performing various computer-implemented operations as described herein. Unless otherwise specified, the media may also include, alone or in combination with the program instructions, data files, data structures, tables, and the like. The media and program instructions may be those specially designed and constructed for the purposes of the present subject matter, or they may be of the kind available to those having skill in the computer software arts. Examples of computer-readable storage media include magnetic media such as flash drives, hard disks, floppy disks, and magnetic tape; optical media such as CD-ROM disks; magneto-optical media; and hardware devices that are specially configured to store and perform program instructions, such as read-only memory devices (ROM) and random access memory (RAM). Examples of program instructions include both machine code, such as produced by a compiler, and files containing higher level code that may be executed by the computer using an interpreter.

The description given above is merely illustrative and is not meant to be an exhaustive list of all possible embodiments, applications or modifications of the invention. Thus, various modifications and variations of the described methods and systems of the invention will be apparent to those skilled in the art without departing from the scope and spirit of the invention. Although the invention has been described in connection with specific embodiments, it should be understood that the invention as claimed should not be unduly limited to such specific embodiments.

1. A computer-implemented method of providing third party network user authentication for a first party user attempting to access a network service provided by a second party, said method comprising, at a third party authentication server: registering a network service; registering a user device with a first user; generating a first encryption key associated with the user device; receiving a first encrypted check message from the user device; receiving a second encrypted check message from the network service; decrypting the first check message and the second check message using the first encryption key; comparing timestamps included in the first check message and the second check message; authorizing at least one of a network access or a transaction between the first user and the network service based at least in part on a difference between the timestamps being less than a threshold; and sending an authorization message to the network service based on said authorizing.
2. The method of claim 1, wherein registering the user device with the first user includes: acquiring biometric data of the user via an agent of the third party; storing the biometric data on the user device as biometric reference data using computer instructions and an encryption key provided by the third party; reacquiring the user's biometric data via a test scan using a biometric scanner of the user device; verifying that the biometric reference data is accurately stored on the user device by comparing the test scan to the biometric reference data; and causing the user device to delete said computer instructions based on the verification that the biometric reference data is accurately stored on the user device.
3. The method of claim 1, wherein the network service includes a computer network of the second party, and the second encrypted check message is based at least in part on a communication between the user device and a workstation connected to the computer network.
4. The method of claim 1, wherein the network service includes a network banking website, and the second encrypted check message is based at least in part on a communication between the user device and a workstation connected to the network banking website.
5. The method of claim 1, wherein the network service includes an online purchase, and the second encrypted check message is based at least in part on confirming the identity of a person operating the user device.
6. The method of claim 1, wherein: registering the user device with the first user includes storing biometric data of the first user on the user device as biometric reference data using computer instructions provided by the third party; the first check message is sent from the user device based at least in part on a comparison between current biometric data and the biometric reference data; and the second check message is sent based at least in part on the comparison between current biometric data and the biometric reference data.
7. The method of claim 6, wherein the user's biometric data is not communicated to, or maintained by, the network service or the third party.
8. The method of claim 1, wherein: registering the user device with the first user includes configuring a one-time password service associating the first user and the user device using computer instructions provided by the third party, at least one parameter used by the one-time password service being stored locally on the user device and inaccessible by the third party; the first check message is sent from the user device based at least in part on an identity check performed via the user device using the one-time password service; and the second check message is sent based at least in part on the identity check.
9. The method of claim 1, wherein the second check message is based at least in part on the network service confirming that the user device is authorized to access the network service.
10. A method of registering a secure identity user device, said method comprising, at a third party authentication server: receiving an authorization proof message from an authorizing agent, the authorization proof message including an authorization device identifier, location information, and a timestamp; receiving a composite proof message via the user device, the composite proof message including a unique user device identifier, an encrypted version of the authorization proof message, and a timestamp; confirming that the user device is located within a limited, predetermined, geographic area associated with the authorizing agent; generating a first encryption key associated with the user device based at least in part on the confirmation that the user device is within the limited, predetermined, geographic area and a comparison of the authorization proof message and the composite proof message; and sending the first encryption key to at least one of the authorizing agent and the user device.
11. The method of claim 10, further comprising: receiving a first encrypted check message from the user device; receiving a second encrypted check message from a network service provider; decrypting the first check message and the second check message using the first encryption key; comparing timestamps included in the first check message and the second check message; authorizing at least one of a network access or a transaction between the first user and the network service provider based at least in part on a difference between the timestamps being less than a threshold; and sending an authorization message to the network service provider based on said authorizing.
12. The method of claim 11, wherein the first and second check messages are based at least in part on a biometric user confirmation performed by the user device.
13. The method of claim 10, wherein comparing the authorization proof message and the composite proof message includes comparing the timestamp information and decrypting the encrypted authorization proof message.
14. The method of claim 10, further comprising authorizing biometric data to be stored on the user device based at least in part on confirmation that the user device is located in proximity to the authorizing device.
15. A secure identity user device, comprising: a processor; a biometric information identification module; memory including instructions configured to: establish local communication with an authorization device; receive an authorization proof message from the authorization device, the authorization proof message including an authorization device identifier, location information, and a timestamp; generate a composite proof message including a unique user device identifier, an encrypted version of the authorization proof message, and a timestamp; send the composite proof message to a device authorization service; receive a first encryption key via at least one of the authorization device and the device authorization service; and authenticate the user device with a second party service provider including: encrypt a first check message using the first encryption key; encrypt a second check message using the first encryption key; send the first check message to the device authorization service; send the second check message to the service provider; wherein the first check message and the second check message include the user device identifier and a timestamp.
16. The user device of claim 15, further comprising instructions configured to: acquire biometric data of the user based at least in part on local communication with the authorization device; store the biometric data on the user device as biometric reference data using first computer instructions and an encryption key provided by the device authorization service; reacquire the user's biometric data via a test scan using a biometric scanner of the user device; verify that the biometric reference data is accurately stored on the user device by comparing the test scan to the biometric reference data; and delete said first computer instructions based on the verification that the biometric reference data is accurately stored on the user device.
17. The user device of claim 16, wherein the first and second check messages are based at least in part on a biometric user confirmation performed by the user device using the biometric reference data.
18. The user device of claim 16, wherein the biometric data is stored on the user device based at least in part on confirmation that the user device is located in a specified radius of the authorizing device.
19. The user device of claim 16, wherein the biometric reference data is configured such that a user of the user device cannot change the biometric reference data without participation of the device authorization service.
20. The user device of claim 16, further comprising a data delete circuit configured to automatically render inoperable the biometric reference data based on physical tampering with the user device.
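The two protocol flows the claims describe, device registration (claims 10, 13 and 15: an agent's authorization proof, the device's composite proof wrapping an encrypted copy of it, a geographic check, and a freshly minted first encryption key) and authentication (claims 1, 11 and 15: two check messages encrypted under that key, one arriving from the device and one relayed by the network service, accepted only when both decrypt and their timestamps differ by less than a threshold), as an added Go example. This code is not part of the patent and does not describe any product; everything the claims leave open is an assumption here: AES-256-GCM as the cipher, JSON as the message encoding, an enrollment key pre-shared between the authorizing agent and the server and handed to the device over the local link, the device reporting its own coordinates so the server can apply the radius check, the device identifier travelling in clear beside each check message so the server can pick the key, and a haversine distance for the geographic area.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"math"
)

// Message layouts are an assumption: the claims name the fields, not an encoding.
type AuthProof struct{ AgentID string; Lat, Lon float64; TS int64 }                       // agent location, unix seconds
type CompositeProof struct{ DeviceID string; EncProof []byte; Lat, Lon float64; TS int64 } // device-reported location (assumption)
type CheckMsg struct{ DeviceID string; TS int64 }
// AES-256-GCM with the nonce prepended: a stand-in for the cipher the claims leave unspecified.
// Every key here is 32 bytes, so a bad key length is a programming error and gcm panics.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // NewGCM only fails for non-standard block sizes
	return g
}
func seal(key, pt []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read cannot fail (Go 1.24+)
	return g.Seal(nonce, nonce, pt, nil)
}
func unseal(key, ct []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Server is the third party authentication server of claims 1 and 10.
type Server struct {
	enrollKey []byte            // assumption: pre-shared with authorizing agents
	services  map[string]bool   // registered network services
	devices   map[string][]byte // device id -> first encryption key
	radiusM   float64           // predetermined area around the agent, metres
	skew      float64           // timestamp threshold, seconds
}
func NewServer(enrollKey []byte, radiusM, skew float64) *Server {
	return &Server{enrollKey, map[string]bool{}, map[string][]byte{}, radiusM, skew}
}
func (s *Server) RegisterService(id string) { s.services[id] = true }
// MakeComposite is the device side of claim 15: seal the agent's proof, add device id, location, timestamp.
func MakeComposite(enrollKey []byte, id string, ap AuthProof, lat, lon float64, ts int64) CompositeProof {
	pt, _ := json.Marshal(ap)
	return CompositeProof{id, seal(enrollKey, pt), lat, lon, ts}
}
// RegisterDevice (claim 10): geofence, decrypt and compare the two proofs, then mint the first encryption key.
func (s *Server) RegisterDevice(ap AuthProof, cp CompositeProof) ([]byte, error) {
	if haversineM(ap.Lat, ap.Lon, cp.Lat, cp.Lon) > s.radiusM {
		return nil, errors.New("device outside the agent's geographic area")
	}
	var inner AuthProof
	if pt, err := unseal(s.enrollKey, cp.EncProof); err != nil || json.Unmarshal(pt, &inner) != nil ||
		inner != ap || math.Abs(float64(cp.TS-ap.TS)) > s.skew {
		return nil, errors.New("authorization proof and composite proof do not match")
	}
	key := make([]byte, 32)
	rand.Read(key)
	s.devices[cp.DeviceID] = key
	return key, nil
}
// MakeCheck is the device side of claim 15: an encrypted (device id, timestamp) check message.
func MakeCheck(key []byte, id string, ts int64) []byte {
	pt, _ := json.Marshal(CheckMsg{id, ts})
	return seal(key, pt)
}
// Authorize (claims 1 and 11): both check messages must decrypt under the device's key,
// name the claimed device, and carry timestamps closer together than the threshold.
func (s *Server) Authorize(serviceID, deviceID string, fromDevice, fromService []byte) (bool, error) {
	key, ok := s.devices[deviceID]
	if !ok || !s.services[serviceID] {
		return false, errors.New("unregistered device or service")
	}
	var m [2]CheckMsg
	for i, ct := range [][]byte{fromDevice, fromService} {
		if pt, err := unseal(key, ct); err != nil || json.Unmarshal(pt, &m[i]) != nil || m[i].DeviceID != deviceID {
			return false, errors.New("check message rejected")
		}
	}
	return math.Abs(float64(m[0].TS-m[1].TS)) < s.skew, nil
}

func haversineM(lat1, lon1, lat2, lon2 float64) float64 {
	rad := math.Pi / 180
	dLat, dLon := (lat2-lat1)*rad, (lon2-lon1)*rad
	a := math.Pow(math.Sin(dLat/2), 2) + math.Cos(lat1*rad)*math.Cos(lat2*rad)*math.Pow(math.Sin(dLon/2), 2)
	return 2 * 6371000 * math.Asin(math.Sqrt(a))
}
```

What the threshold buys, and what it does not: because only the server and the registered device hold the first encryption key, the network service cannot fabricate a check message, and a stale device message replayed against the service is rejected once its timestamp drifts further than the threshold from the device's fresh message. The threshold must be set above the expected clock skew between device and server, and within that window the scheme as written does not distinguish a replayed check message from a fresh one; a per-message nonce or counter tracked by the server would close that gap.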